Discussion:
Urgent Firebrick question
Richard Passman
2006-02-06 22:13:13 UTC
Gents/Ladies

I tried to log on to IRC but no one seemed to chat back, so can only
assume that I failed in the IRC install process....

Here's the scenario:

Server 81.112.xx.173 needs to talk to 10.1.2.0/24

To get to 10.1.2.0/24 81.112.xx.173 talks through a firebrick and a
cisco VPN (router) gateway.

Background info;

(From Firebrick end)
Cisco site to site VPN Remote lan = 10.1.2.0/24
Cisco site to site VPN local Lan = 192.168.105.0/24

Cisco box gateway/IP = 192.168.105.2
Firebrick (Subnet set up) 192.168.105.1

Slight complication: with the Cisco site-to-site VPN, any comms must come from
a 192.168.105.x address.

Server 81.112.xx.173 is on the LAN side of the FB, with stealth to the outside world.

So the server sends a packet to 10.1.2.24 (for example). I have a mapping rule to
turn any comms from 81.112.xx.173 into a 192.168.105.4 packet, and then I
route the packets to the 192.168.105.2 address.

So it doesn't work... I don't want a complete answer, more some clues....

Thanks

Richard Passman
Cliff Hones
2006-02-07 11:57:01 UTC
Post by Richard Passman
Gents/Ladies
I tried to log on to IRC but no one seemed to chat back, so can only
assume that I failed in the IRC install process....
Here's the scenario:
Server 81.112.xx.173 needs to talk to 10.1.2.0/24
To get to 10.1.2.0/24 81.112.xx.173 talks through a firebrick and a
cisco VPN (router) gateway.
Background info;
(From Firebrick end)
Cisco site to site VPN Remote lan = 10.1.2.0/24
Cisco site to site VPN local Lan = 192.168.105.0/24
Cisco box gateway/IP = 192.168.105.2
Firebrick (Subnet set up) 192.168.105.1
Slight complication: with the Cisco site-to-site VPN, any comms must come from
a 192.168.105.x address.
Server 81.112.xx.173 is on the LAN side of the FB, with stealth to the outside world.
So the server sends a packet to 10.1.2.24 (for example). I have a mapping rule to
turn any comms from 81.112.xx.173 into a 192.168.105.4 packet, and then I
route the packets to the 192.168.105.2 address.
So it doesn't work... I don't want a complete answer, more some clues....
Ok - here's a clue: How does the local Cisco know what to do with a
returning packet addressed to 192.168.105.4? As it is on the Cisco's
local subnet, the Cisco will use ARP. Does the FireBrick know it should
answer?

You can get the FireBrick to answer by putting in a routing rule for
this address and ticking "Proxy ARP".

A simpler alternative would be to change your mapping so the FireBrick changes
the source IP to its own IP. This will work fine for TCP/UDP, where the FireBrick
will also automatically change the source port so it can recognize return
traffic, but won't work if you use other protocols.

I'd also suggest that you consider switching off stealth and adding explicit
subnets and routing to your FireBrick. It shouldn't be necessary to do
this for your setup, but it may help to make the setup simpler to understand and
maintain in the future. The stealth feature works well for simple installations,
but can lead to unexpected effects on a more complex network with multiple
subnets and routers.
--
Cliff Hones
Andrews & Arnold Ltd./Firebrick Ltd.
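As an added illustration (not FireBrick configuration and not code from either poster), the following Python model plays through the three cases Cliff describes: mapping to 192.168.105.4 with no proxy ARP (the Cisco's ARP for the return packet goes unanswered), the same mapping with proxy ARP, and NAT to the FireBrick's own IP, which works for TCP/UDP thanks to port translation but not for other protocols. The addresses 81.112.0.173 and 10.1.2.24 are constructed stand-ins for the masked server address and an example remote host.

```python
from dataclasses import dataclass, replace

SERVER = "81.112.0.173"   # stands in for the masked 81.112.xx.173 (constructed value)
FB_IP = "192.168.105.1"   # FireBrick's own address on the 192.168.105.0/24 subnet
MAPPED = "192.168.105.4"  # address the poster's mapping rule substitutes
REMOTE = "10.1.2.24"      # example host behind the Cisco site-to-site VPN

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or something else such as "icmp"
    sport: int = 0
    dport: int = 0

class FireBrick:
    """Minimal model: one source-NAT rule plus the set of addresses it answers ARP for."""
    def __init__(self, snat_to, proxy_arp=()):
        self.snat_to = snat_to
        self.arp_owned = {FB_IP, *proxy_arp}
        self.table = {}          # (nat_addr, proto, nat_port) -> (orig_src, orig_port)
        self.next_port = 40000   # ports handed out when NATing to the FireBrick's own IP

    def outbound(self, p):
        """Rewrite the source so the Cisco sees a 192.168.105.x sender."""
        if self.snat_to == FB_IP:
            if p.proto not in ("tcp", "udp"):
                # No port to rewrite: the reply would look like traffic to the
                # FireBrick itself, so no return mapping can be recorded.
                return replace(p, src=FB_IP)
            nat_port, self.next_port = self.next_port, self.next_port + 1
        else:
            nat_port = p.sport   # 1:1 address mapping: the address alone identifies the host
        self.table[(self.snat_to, p.proto, nat_port)] = (p.src, p.sport)
        return replace(p, src=self.snat_to, sport=nat_port)

    def inbound(self, p):
        """Reply arriving from the Cisco side; None if it never reaches the server."""
        if p.dst not in self.arp_owned:
            return None          # Cisco's ARP for p.dst is unanswered, frame never sent
        entry = self.table.get((p.dst, p.proto, p.dport))
        if entry is None:
            return None          # cannot be recognised as return traffic
        orig_src, orig_port = entry
        return replace(p, dst=orig_src, dport=orig_port)

def round_trip(fb, proto, sport=5000, dport=22):
    """Send one packet to REMOTE, feed its reply back, return what the server receives."""
    out = fb.outbound(Packet(SERVER, REMOTE, proto, sport, dport))
    reply = Packet(REMOTE, out.src, proto, out.dport, out.sport)
    return fb.inbound(reply)
```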